Protocols And Standards; Fips Compliance; Ipsec Tunnel Establishment; Implementing Acl-Based Ipsec - H3C S5830V2 Security Configuration Manual


The device supports the following data flow protection modes:

Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it.

Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices.

Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode consumes more system resources when multiple data flows exist between two subnets to be protected.

Protocols and standards

RFC 2401, Security Architecture for the Internet Protocol
RFC 2402, IP Authentication Header
RFC 2406, IP Encapsulating Security Payload
RFC 4552, Authentication/Confidentiality for OSPFv3

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

IPsec tunnel establishment

The switch supports establishing only ACL-based IPsec tunnels.
An ACL-based IPsec tunnel protects packets identified by an ACL. To establish an ACL-based IPsec tunnel,
configure an IPsec policy, reference an ACL in the policy, and apply the policy to a physical interface. By
referencing various ACL rules, you can configure flexible IPsec policies according to your network
conditions.

Implementing ACL-based IPsec

To ensure a successful ACL-based IPsec setup, read the feature restrictions and guidelines carefully before
you configure an ACL-based IPsec tunnel.

Feature restrictions and guidelines

ACLs for IPsec tunnels take effect only on traffic that is generated by the device and traffic that is destined for the device. They do not take effect on traffic forwarded through the device. For example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it does not protect data flows and voice flows that are forwarded by the device. For more information about configuring an ACL for IPsec, see "Configuring an ACL."
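Putting the steps above together, as an added example that is not from the H3C manual: a standard-mode ACL-based IPsec policy that protects the switch's own syslog traffic to a log server, which is exactly the kind of device-generated flow the restriction says such a tunnel can protect. All addresses, names, the interface and the pre-shared-key placeholder are assumptions; the command syntax follows Comware 7 as known to the editor and should be checked against the S5830V2 command reference.

```text
# Constructed example: protect syslog from the switch (10.1.1.1) to a
# log server (10.1.2.10) reachable via IPsec peer 203.0.113.2.
# Names, addresses and the interface are assumptions, not manual values.
#
# 1. ACL selecting the device-generated flow. One rule, one tunnel
#    (standard mode). Forwarded host traffic is NOT matched here.
acl advanced 3000
 rule 0 permit udp source 10.1.1.1 0 destination 10.1.2.10 0 destination-port eq 514
quit
#
# 2. Transform set: ESP (RFC 2406) with AES-128 and SHA-1 integrity.
ipsec transform-set tran1
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
quit
#
# 3. IKE keychain and profile identifying the remote peer.
ike keychain kc1
 pre-shared-key address 203.0.113.2 key simple PLACEHOLDER-PSK
quit
ike profile prof1
 keychain kc1
 match remote identity address 203.0.113.2
quit
#
# 4. IPsec policy: reference the ACL, transform set, peer and IKE profile.
ipsec policy pol1 10 isakmp
 security acl 3000
 transform-set tran1
 remote-address 203.0.113.2
 ike-profile prof1
quit
#
# 5. Apply the policy to the physical interface facing the peer
#    (assumed to be a routed port on this switch).
interface Ten-GigabitEthernet1/0/1
 port link-mode route
 ip address 203.0.113.1 24
 ipsec apply policy pol1
quit
#
# 6. Send the device's own logs to the protected server.
info-center loghost 10.1.2.10
```

After the first log message triggers negotiation, `display ipsec sa` should show an SA whose flow matches rule 0 of ACL 3000; user traffic forwarded through the switch will not appear there, per the restriction above.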

This manual is also suitable for: S5820V2